Tuesday, March 26, 2013

Making Orange JAM - analyzing Sweet Orange EK Java Archive files

After serving fresh orange juice the other day (Sweet orange EK analysis), grabbing all the evil files off the Sweet Orange exploit kit, we are now sitting here with piles of squeezed orange leftovers. What better idea than to go all the way and make some jam of the leftovers.

On to the task of understanding, deobfuscating and reversing the Sweet Orange EK JARs. I'm still working on my Python skills, so I will throw in some Python code to learn. My Java fu is not getting any better either, so reading that code as-is is not the way to understand what these bad guys are up to.

But let's see if we can figure out what they're up to this time (see the link above if you need to look into how to pull the archives from the kit).

1. Pull the archive in jd-gui

Lots of strangely named class files. Note that YDXIOXz.bmbf is not even a class. We have located the class containing the applet where execution starts; we just have to look in its init() method to see what fun stuff is done here.

2. init()

Not much; just instantiation of QcVEtjNkP.

3. Moving on

Finally something is happening: reading that resource we noted, YDXIOXz.bmbf, right out of the archive. It creates the class from those bytes and moves on to instantiate it.

Here is the trick to execute privileged: CVE-2013-0422 (the MBeanInstantiator bug in Java 7 up to Update 10, patched in 7u11); in more detail here

The URL strings are manipulated this way:

Here they build the URL to the exe payload they will fetch, writing the file to java.io.tmpdir and setting it up to be registered as a service and executed.

Finally, here is how they manipulate the exe payload before writing it to disk.

4. Overview

So we have covered the basic outline of what the applet wants to do: read (probably an obfuscated class) from the archive, use the vulnerability in com.sun.jmx.mbeanserver.MBeanInstantiator to load classes in privileged mode, invoke the YDXIOXz.bmbf mystery class, and then fetch some evil code and run it on some poor innocent guy's computer.

5. Deobfuscation

To bring some fun into this task, let's see if we can write some Python code to deobfuscate and decrypt their bad code.

5a. Let's look into the mystery resource

First things first: read the file and remove the SPAM. Fortunately, unlike in the Monty Python sketch, we are allowed to remove the SPAM from these dishes. Watch on YouTube

Mmmm - SPAM reduction worked, and it looks like we are looking at a Java class file, which in hex starts with CAFEBABE. Just write out the bytecode, disassemble it and we have the class to look at (for details on disassembly look here):
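As an added example (my own script for this write-up, not code pulled from the kit), here is a Python version of the two steps above: strip the filler and then, instead of handing the bytes straight to a disassembler, parse just enough of the class file to confirm the CAFEBABE magic, read the class-file version, walk the constant pool and resolve the this/super class names. The strings in the constant pool are often all you need to spot a "disabler"-style class before any decompilation. It assumes the filler is the literal byte string SPAM; the obfuscated resource below is constructed inline for the demo rather than taken from the real JAR.

```python
import struct

# Assumption (not taken from the kit): the junk referred to as "SPAM" is the
# literal byte string b"SPAM" interleaved with the real class-file bytes.
FILLER = b"SPAM"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# class-file major_version -> Java release
JAVA_VERSIONS = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4",
                 49: "5", 50: "6", 51: "7", 52: "8"}

# Body sizes of the fixed-size constant-pool entries (JVM spec 4.4):
# Integer/Float=4, Long/Double=8, Class/String/MethodType=2,
# Fieldref/Methodref/InterfaceMethodref/NameAndType/InvokeDynamic=4,
# MethodHandle=3. Utf8 (tag 1) is variable-length and handled separately.
FIXED_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4,
                  11: 4, 12: 4, 15: 3, 16: 2, 18: 4}


def strip_filler(blob, filler=FILLER):
    """Drop every occurrence of the filler. Caveat: a class whose own bytes
    happen to contain the filler sequence would be corrupted; the magic
    check in parse_class() is what catches that."""
    return blob.replace(filler, b"")


def looks_like_class(data):
    return data[:4] == CLASS_MAGIC


def parse_class(data):
    """Parse the header and constant pool; resolve this/super class names."""
    if not looks_like_class(data):
        raise ValueError("no CAFEBABE magic: filler not fully removed or not a class file")
    minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    pool, off, idx = {}, 10, 1            # the constant pool is 1-indexed
    while idx < cp_count:
        tag = data[off]
        off += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[off:off + 2])
            off += 2
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_CP_SIZES:
            size = FIXED_CP_SIZES[tag]
            pool[idx] = (tag, data[off:off + size])
            off += size
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    access_flags, this_class, super_class = struct.unpack(">HHH", data[off:off + 6])

    def class_name(cp_index):             # CONSTANT_Class -> its Utf8 name
        tag, body = pool[cp_index]
        if tag != 7:
            raise ValueError(f"cp[{cp_index}] is not a CONSTANT_Class")
        (name_index,) = struct.unpack(">H", body)
        return pool[name_index][1]

    return {
        "major": major, "minor": minor,
        "java_version": JAVA_VERSIONS.get(major, "unknown"),
        "access_flags": access_flags,
        "this_class": class_name(this_class),
        "super_class": class_name(super_class),
        "utf8": [v for t, v in pool.values() if t == 1],
    }


# --- constructed sample: a minimal class "disabler" and a SPAM-stuffed copy of it ---
def _utf8(s):
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


def _cls(i):
    return b"\x07" + struct.pack(">H", i)


CLEAN_CLASS = (CLASS_MAGIC + struct.pack(">HHH", 0, 51, 7)  # minor 0, major 51 (Java 7), 6 cp entries
               + _utf8("disabler") + _cls(1)                 # cp 1, 2
               + _utf8("java/lang/Object") + _cls(3)         # cp 3, 4
               + _utf8("java/lang/System")                   # cp 5
               + _utf8("setSecurityManager")                 # cp 6
               + struct.pack(">HHH", 0x0021, 2, 4)           # public super; this=cp2, super=cp4
               + struct.pack(">HHHH", 0, 0, 0, 0))           # no interfaces/fields/methods/attrs
# Put the filler in front of every 3 bytes to mimic the obfuscated resource.
SAMPLE_RESOURCE = b"".join(FILLER + CLEAN_CLASS[i:i + 3]
                           for i in range(0, len(CLEAN_CLASS), 3))


if __name__ == "__main__":
    info = parse_class(strip_filler(SAMPLE_RESOURCE))
    print(f"{info['this_class']} extends {info['super_class']} "
          f"(class version {info['major']}.{info['minor']}, Java {info['java_version']})")
    print("strings:", info["utf8"])
```

To run it against the real thing, replace SAMPLE_RESOURCE with the bytes of YDXIOXz.bmbf read from the JAR; if parse_class() complains about the magic, the filler pattern is not the plain SPAM string assumed here and strip_filler() needs adjusting before anything else is worth trying.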

Fun stuff: disabling the Java SecurityManager. Well chosen name, disabler :) Kudos for originality. My choice: getRidOfSecurityManagerGoMakeSomeNiceGuysDayMiserable - but what do I know about Java coding...

6. Epilogue

So we have been able to verify that the SO EK is using CVE-2013-0422 as the vector to gain illegal access to other people's computers, and how they obfuscate the code to mislead researchers and evade detection mechanisms. We have dissected the code, and finally we have not only freshly squeezed Sweet Orange juice but jam to go with the bread as well.